On Monday, June 9, 2014, CrowdStrike publicly released a report on a group called Putter Panda, a cyber espionage actor that conducts operations from Shanghai, China, likely on behalf of the Chinese People’s Liberation Army (PLA) 3rd Department 12th Bureau Unit 61486. Putter Panda is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.

They are a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.

The group has been operating since at least 2007 and has been observed heavily targeting the US Defense and European satellite and aerospace industries.

They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.

CrowdStrike identified Chen Ping, aka cpyy, a suspected member of the PLA responsible for procurement of the domains associated with operations conducted by Putter Panda.

Key Takeaways

Additional Information:

Why is CrowdStrike releasing this report?

The public disclosure of this information continues to keep the pressure on after the recent United States indictments of five PLA members associated with the Comment Panda threat group. The PRC called those charges “ungrounded and absurd,” and keeps asking for more evidence. In response to repeated, legitimate, and well-documented evidence of criminal activity the PRC predictably responds with denials, redirection, and intimidation. Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately have no geographic borders. We believe the U.S. Government indictments and global acknowledgment and awareness are important steps in the right direction. In support of these efforts, we are making this report available to the public to continue the dialog around this ever-present threat.

How did CrowdStrike obtain this information?

Analyzing adversary operations is what the CrowdStrike Intelligence team does. This information, while publicly available, relied on tenacious reverse engineering, intelligence analysis, and cultural/linguistic specialists. CrowdStrike currently tracks over 70 different threat actors, many to even deeper depth than the Putter Panda adversaries. This information reflects months of dedicated and persistent analysts pouring over every technical detail and connection to find attributable toolmarks.

For more information on Putter Panda, or any of the other adversaries tracked by the CrowdStrike Global Intelligence team, contact intelligence@crowdstrike.com